7f0b2a81f626e3adc3bd82513df2dd77b0b40fd265985545c0224d7a71f2e946

Analysis

max time kernel
110s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a1e33b47d579be62024186dae1fec0N.exe
Size

304KB
MD5

c4a1e33b47d579be62024186dae1fec0
SHA1

5379e8ba919b625d45114adfd3ae1cfdb317a184
SHA256

7f0b2a81f626e3adc3bd82513df2dd77b0b40fd265985545c0224d7a71f2e946
SHA512

0c8a7743566b2e8defc148610a7c262057672aa12f74b21c131be327d199fc5cf848a0b3c3c9a261baddb646b4437a29c3c59ad247a80c1fcba17b33b0ad3c03
SSDEEP

6144:y7egHJoHWjNqoxIjNxunXe8yhrtMsQBvli+RQFdq:y7eQJoHWjNVx+vAO8qRMsrOQF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c4a1e33b47d579be62024186dae1fec0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c4a1e33b47d579be62024186dae1fec0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe

Executes dropped EXE 27 IoCs

pid	Process
2404	Bmngqdpj.exe
4204	Bgcknmop.exe
224	Balpgb32.exe
2392	Bgehcmmm.exe
5116	Bmbplc32.exe
2480	Bhhdil32.exe
1444	Bmemac32.exe
4628	Chjaol32.exe
3320	Cndikf32.exe
4952	Cdabcm32.exe
4552	Cjkjpgfi.exe
1648	Chokikeb.exe
3108	Ceckcp32.exe
4024	Cjpckf32.exe
3428	Ceehho32.exe
2348	Cjbpaf32.exe
3416	Cegdnopg.exe
1264	Dfiafg32.exe
2504	Danecp32.exe
1132	Ddmaok32.exe
3972	Dfknkg32.exe
2732	Dmefhako.exe
4644	Dodbbdbb.exe
4876	Deokon32.exe
2972	Daekdooc.exe
4916	Dgbdlf32.exe
1692	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daekdooc.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	c4a1e33b47d579be62024186dae1fec0N.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	c4a1e33b47d579be62024186dae1fec0N.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	c4a1e33b47d579be62024186dae1fec0N.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3544	1692	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4a1e33b47d579be62024186dae1fec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c4a1e33b47d579be62024186dae1fec0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c4a1e33b47d579be62024186dae1fec0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c4a1e33b47d579be62024186dae1fec0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	c4a1e33b47d579be62024186dae1fec0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2404	4872	c4a1e33b47d579be62024186dae1fec0N.exe	84
PID 4872 wrote to memory of 2404	4872	c4a1e33b47d579be62024186dae1fec0N.exe	84
PID 4872 wrote to memory of 2404	4872	c4a1e33b47d579be62024186dae1fec0N.exe	84
PID 2404 wrote to memory of 4204	2404	Bmngqdpj.exe	85
PID 2404 wrote to memory of 4204	2404	Bmngqdpj.exe	85
PID 2404 wrote to memory of 4204	2404	Bmngqdpj.exe	85
PID 4204 wrote to memory of 224	4204	Bgcknmop.exe	86
PID 4204 wrote to memory of 224	4204	Bgcknmop.exe	86
PID 4204 wrote to memory of 224	4204	Bgcknmop.exe	86
PID 224 wrote to memory of 2392	224	Balpgb32.exe	87
PID 224 wrote to memory of 2392	224	Balpgb32.exe	87
PID 224 wrote to memory of 2392	224	Balpgb32.exe	87
PID 2392 wrote to memory of 5116	2392	Bgehcmmm.exe	88
PID 2392 wrote to memory of 5116	2392	Bgehcmmm.exe	88
PID 2392 wrote to memory of 5116	2392	Bgehcmmm.exe	88
PID 5116 wrote to memory of 2480	5116	Bmbplc32.exe	89
PID 5116 wrote to memory of 2480	5116	Bmbplc32.exe	89
PID 5116 wrote to memory of 2480	5116	Bmbplc32.exe	89
PID 2480 wrote to memory of 1444	2480	Bhhdil32.exe	90
PID 2480 wrote to memory of 1444	2480	Bhhdil32.exe	90
PID 2480 wrote to memory of 1444	2480	Bhhdil32.exe	90
PID 1444 wrote to memory of 4628	1444	Bmemac32.exe	91
PID 1444 wrote to memory of 4628	1444	Bmemac32.exe	91
PID 1444 wrote to memory of 4628	1444	Bmemac32.exe	91
PID 4628 wrote to memory of 3320	4628	Chjaol32.exe	92
PID 4628 wrote to memory of 3320	4628	Chjaol32.exe	92
PID 4628 wrote to memory of 3320	4628	Chjaol32.exe	92
PID 3320 wrote to memory of 4952	3320	Cndikf32.exe	93
PID 3320 wrote to memory of 4952	3320	Cndikf32.exe	93
PID 3320 wrote to memory of 4952	3320	Cndikf32.exe	93
PID 4952 wrote to memory of 4552	4952	Cdabcm32.exe	94
PID 4952 wrote to memory of 4552	4952	Cdabcm32.exe	94
PID 4952 wrote to memory of 4552	4952	Cdabcm32.exe	94
PID 4552 wrote to memory of 1648	4552	Cjkjpgfi.exe	95
PID 4552 wrote to memory of 1648	4552	Cjkjpgfi.exe	95
PID 4552 wrote to memory of 1648	4552	Cjkjpgfi.exe	95
PID 1648 wrote to memory of 3108	1648	Chokikeb.exe	96
PID 1648 wrote to memory of 3108	1648	Chokikeb.exe	96
PID 1648 wrote to memory of 3108	1648	Chokikeb.exe	96
PID 3108 wrote to memory of 4024	3108	Ceckcp32.exe	98
PID 3108 wrote to memory of 4024	3108	Ceckcp32.exe	98
PID 3108 wrote to memory of 4024	3108	Ceckcp32.exe	98
PID 4024 wrote to memory of 3428	4024	Cjpckf32.exe	99
PID 4024 wrote to memory of 3428	4024	Cjpckf32.exe	99
PID 4024 wrote to memory of 3428	4024	Cjpckf32.exe	99
PID 3428 wrote to memory of 2348	3428	Ceehho32.exe	100
PID 3428 wrote to memory of 2348	3428	Ceehho32.exe	100
PID 3428 wrote to memory of 2348	3428	Ceehho32.exe	100
PID 2348 wrote to memory of 3416	2348	Cjbpaf32.exe	102
PID 2348 wrote to memory of 3416	2348	Cjbpaf32.exe	102
PID 2348 wrote to memory of 3416	2348	Cjbpaf32.exe	102
PID 3416 wrote to memory of 1264	3416	Cegdnopg.exe	103
PID 3416 wrote to memory of 1264	3416	Cegdnopg.exe	103
PID 3416 wrote to memory of 1264	3416	Cegdnopg.exe	103
PID 1264 wrote to memory of 2504	1264	Dfiafg32.exe	104
PID 1264 wrote to memory of 2504	1264	Dfiafg32.exe	104
PID 1264 wrote to memory of 2504	1264	Dfiafg32.exe	104
PID 2504 wrote to memory of 1132	2504	Danecp32.exe	105
PID 2504 wrote to memory of 1132	2504	Danecp32.exe	105
PID 2504 wrote to memory of 1132	2504	Danecp32.exe	105
PID 1132 wrote to memory of 3972	1132	Ddmaok32.exe	106
PID 1132 wrote to memory of 3972	1132	Ddmaok32.exe	106
PID 1132 wrote to memory of 3972	1132	Ddmaok32.exe	106
PID 3972 wrote to memory of 2732	3972	Dfknkg32.exe	107

C:\Users\Admin\AppData\Local\Temp\c4a1e33b47d579be62024186dae1fec0N.exe
"C:\Users\Admin\AppData\Local\Temp\c4a1e33b47d579be62024186dae1fec0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\Bmngqdpj.exe
  C:\Windows\system32\Bmngqdpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\Bgcknmop.exe
    C:\Windows\system32\Bgcknmop.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\Balpgb32.exe
      C:\Windows\system32\Balpgb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 416
        29⤵
        Program crash
        
        PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1692 -ip 1692
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
304KB

MD5
136e75eb601f8284d4e9915b21a3e9f4

SHA1
470d31b7d74a50f3052c9dbdf1318e0ae4441205

SHA256
d70dddffd2ac91885566556b9df0a4ab024ff945bbe26d818bb75c0fb4065a69

SHA512
cf4a74cefd54db8acccacf8084d5c5231ec36e3af761ed38a6caea154f6283c0cd618c75d3f7e89c019665c94decaeb919ef104a5d260ffa88aeb92c2a6c38dd

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
304KB

MD5
e34f9875a3ed7810b8f7d2fe0ef22593

SHA1
3fa42af896c079bfa6b3c4ba7500c15e39cd37bf

SHA256
6abdc3a4b5417c4057f1da7e37d96e44584ae1dba931925f2fe3d41dde1b23b6

SHA512
e32501b63aa99a94e5b6cf281797ee47a923d39602ab657b86e8387e51907bf648791bbb5f4c70fa49d3005751322e05b562f8b9191fd061a7248429f45a016a

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
304KB

MD5
0e0832a9aca51bb9502f8d922e31cc2d

SHA1
d519086899d957e5a9fc3272d418c347a2fb9f02

SHA256
142d0141cf8bfa7a4ed4f56f0adbcfa9b630a434db806fba16993ea4f6205a13

SHA512
dae199ddecb7391b30f09541e87817fad3b3ff44536d331b2a07d3cc224bf1b0e1bd02a732d070b228114b990a5a2557c1f187df3b363af7d4bcb4bb4761ae54

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
304KB

MD5
a944d0a215494b084a27b97c4b0dc714

SHA1
5772642d10c90804953d862b8a90ec83d3dea0b4

SHA256
37b21a40f56762e7523aeb41a0472b77056d99b3d7152f5d32e9581ac7049a0a

SHA512
459ff3d31646a250b52e518e707374856935fadcb9764d48ee26501dd96db3342846958f046f37fa2a14b224e0d666c29762829d43c1f311bb630b9dc4ae1e3a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
304KB

MD5
4603136d59b1123a7d8c36d2a8ecec16

SHA1
404144f39ad3c06d530626b34bba24273c3674a8

SHA256
41f8d9dfade385defd32750d64bf87dd6e3e5dec13c90809d05bb406010dcafb

SHA512
175fe50493d510e9d6e8f4b8ffd7a785951c20ea4b2cd4b49fec950565e62ec5983d80561604bb6e04240c92249d5c29cb26c29391330da11e00795a2e3fd4b4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
304KB

MD5
03ec74883d3d5f2349c8abefbbe1c9b4

SHA1
51a09597c016ebf2fdd4b7d7db22b1c5b483570f

SHA256
2272951332650e2c7712d2c0cd710cd3f2a7985e2b5f5ae30452eef113244aa2

SHA512
71f679cf96a9a85d76f0b545fedb2864b756cc36ca82affdde72302775d753e109c9813c20e910900a5a5fcfdd1430385ec1dd29da68035889afec8bad7a4342

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
304KB

MD5
8e05ba33f58b75c1c8f49aa1b5189ccf

SHA1
c146bbc4105ea536b7eb0547b9c19ddaec2cde28

SHA256
9fde544f5a8402a108fdb84841b47bfb0cca3dc717a733ff0750d7100efdccc2

SHA512
9c0c295f7a2e5b12a1d185682679c9d386b7b9fb96eb78e536dd91dfdb66a2aac442d85b1217e2b272ff9293e0290af71c45caa9d84211f8dbfdc9939c6a1c92

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
304KB

MD5
0da36b74156036bfe193deab0a39ab8a

SHA1
9b3f397bd7211b3341d39521c7e3fa9464486730

SHA256
808ca42dfb3030c9a1434c4f93f2e16cc4b49f44979ecaf44da416567c7ae848

SHA512
c92848c102c10e0a63ef37f1aff237823f3a91f8b416d8fb893c04a6d032cd5004d4983c9bd3f6d6c234e920dca4b1f880af3c1307377fb2047a34f080371e8e

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
304KB

MD5
fd456d04323927d950d8fbd0af565cd9

SHA1
63058b9d6bcca816fcc90bc48499b6aa638c2c26

SHA256
77571cf57786c741972cc39b6bbe0e7c63419d280daa2563d0bc6994525af32f

SHA512
6fa2f4513dbf522bce91d3315c549ef5b4f45e4bfc67c28ccaeaac01962ce9219dfae151c9b1b36df0c6558231c65b23c038bf671e919432ed2a66c13f1377cc

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
304KB

MD5
13cdd7776aa7837926cd9c670a985a60

SHA1
3791d15ec0771a027fe19aadcf19ece52802b279

SHA256
e5898731859de8422d078c1aed99f78f3bf3a12dbdee7ec376fbe728c83be47b

SHA512
29ad4676d53b68dcb8134dad11ede450bcdfe1a2f580b3746e1398129a43ec48406b2c420c17c86c339a0a7f009a7a25c2da7a7eac7acc1cdda4b984c928cbcc

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
304KB

MD5
72de9778cf75c39712b730be544e39f8

SHA1
4b81ca081c3fecc24ab3784780c898ff95b559be

SHA256
82aed1f6a43d31ffb5131559549fbf7ab683123c66f8372a168fc3e757db6f0a

SHA512
497e741dc41435f425a1abeb086c712042400baa58e06b74f64d5bcb2b70721126e696dec0be4621684b1550086245fdfb57f7d00d0b51c1dce12a12f8073d23

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
304KB

MD5
007782a50bf7ba2af356a20bc970853c

SHA1
6f8a4536227f07395a819f04cb5d3f4d77ee3482

SHA256
e0ef52db404505c6967af5678ef2fa41b6ac71dc4dcbac94c8f1bd1a21d342bd

SHA512
b154c9ff84f4bb5e9230a21daff72b446b29caa5305de3de85c037a577d30da9ea258e92992306bf017b23cea8a62c94965965730ee631f21fcd000ff3facf20

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
304KB

MD5
6eed0438cf517a7fbc0c09770b0eb704

SHA1
1bceb3d4852a09058a743caa6e12d39f45ba1e9a

SHA256
320b899a86686138d0b6f810d1b0a8e670c6de00b8791689d3141cf91d650b81

SHA512
dbf8856eb2424885ab35e7d726217af5ef609d6fb85aa559a62566329d9523a4a1444c6fc5809d439d10e6bd9ee3c2d37b6db49ecc2c6f9ba00d19921ed33c1d

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
304KB

MD5
283addb126a1bae2122783fca53ed05f

SHA1
1c789e351b3af6bd57efd0e280e2adcc2c959db0

SHA256
10dd4d3eff717007151aed42c19a0d539daa8063b3514c02326e8980d154011b

SHA512
455d60133b285c7134e980b18dd5b9f1ec8881030bd3012333a82e7d70ff4320b38f4f30df4ebfb0e1e30f0a303935c0abd34e09b9c9661a7923f152335598ac

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
304KB

MD5
f82aa7f824bf1b4c985275a899c94fba

SHA1
3f729aac7854f7cdea00c0755c2e355a772d1987

SHA256
57761a6077f9f6b3164237e6a5218d44bccbdcaf346f54128b94aab3b94b0c15

SHA512
ce36ac9e0cdb72829d6c7356556b784374e842514cbef504348fc5d199b45773a8911e00be0a73afd196406bc81e173f5b0fa112eeecb37ea272671f255c4b32

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
304KB

MD5
c84a4441b85bb9d0233d3f6df9968605

SHA1
2114a7aa46bb7536f6dd2713ce5d59d7c85dd79b

SHA256
547a8c1387b31a1a80f1d714bedbeffdbbd80e4bc9a987e3673f92de996e362d

SHA512
991bbb8efd6c729d4384e0b7361c0f41888bfc678341809fccd5c65e2146f5ee04c78c6bede7e1fefd067846991b103451ab44367eeb65ebe35560e5598b0111

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
304KB

MD5
bcfe55a507621c80c170cd4ae74ba0d1

SHA1
14f811acdf0365df4169b3363449cd380865b85c

SHA256
12b633e0f0c52ed090414fc8689020dc14dc767eb1fa4676202c20f41fab1502

SHA512
208417862104c8fcb4f3ecb74a9ef14f64bc5988f56b4ae5364cff76b140899e6032cc50e15592880191805075f20f09a0a65b8696cdf72d5f6f07d44ef7b67e

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
304KB

MD5
edcdbaf677142774117da0f36bb688ee

SHA1
647fdd484ed6cbddc8cb114daeb8324447b55c52

SHA256
c76c50dc24536132f52ed3694cad73fd8362a5bb829a5fad3aae5c5d823b06c4

SHA512
e0346d2b50a9e33fb8ff1dc48454904bf1d2852181eaf3295a9fd0b3ba293b1d2c6b650246bc0bf7a7c1d3768d4247c548b291af280ca8f0424330c1df44562d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
304KB

MD5
e18d7d0a3fe7441dc34ea01bddffd1f6

SHA1
8306bb9279ef3e70c5c2493428bf5c1798ad5cca

SHA256
eb4e85cfc4e84dee562faad23fdfb5cc6c758fad1b19dbf329972da2aee53cff

SHA512
f46811faa007be9833ac4732b3c6f08d0d1550f5667a65149ff83d4b931d8c884d069c167d1f454ff3a71c42aab82df15fb393f142928ccf1ceb8996e74c7c7c

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
304KB

MD5
a22a0407e6e1e338945e30fccabc227f

SHA1
17b24a0cccd9fbafea754048706088493714520c

SHA256
6eb7cf60fd05225f6f76e4ccc013b62e6f6d841ac15c247786c2abf0e2566076

SHA512
dfc7be07d402c43c863f2d56b4dd1b2d26c04be22a467e999d2115d258cf1fc5df30d2f69374f3c1e1d1acfdadd40dcde7a2143cc9b74c9d5b90e25600e7b969

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
304KB

MD5
89642dde46737afd1e2477314763669b

SHA1
745506b0d77e45cb8bbf549261ce158f0c18ef03

SHA256
8c843b94373600b636cd672c2752c4f5a4f7c596768b1c9ac4253fe43e2f07f5

SHA512
a448c7e3dc9a86896219f7aa7265f723c6aa36b534ebba363745b373d5fa42b199e732919c4fecb021fd3a3a1ec0fbcb53fc197198b1a5f782c946ff9c8a56a0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
304KB

MD5
499773ea33d791d52224e3f4bdd43377

SHA1
f73167f2204ac3c80f0d59adb5146fef87b0fe5d

SHA256
44b592acc6fd85ab3352bb0c2d2ac450e86e9546a2e0bc009e6d269388c058f9

SHA512
6b5b52e3d45d07b36a0c2c01a9e976b4b2c378c34a31710c25df8794a6fa81041c9bdcfc39a7030b392e1b38a74b918facc7650849658dd2558a0bbf60d3259c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
304KB

MD5
eecf0de4c34f2daab268fd1ddf934c84

SHA1
a17699321df1da0a5a9801c68ef400792af178f4

SHA256
49204349bf445187c996aa8784d69c82cc98a7bbc138da0b60b79600a60fba34

SHA512
fc3b222b6a7c3b0b64f97f788c3c82ab24c019983a3410985d9b907299700af92920da299a68e34935d0ee375df5fcab0f8a11d7731a4d0a82ae12ad54ba8c97

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
304KB

MD5
0f2f45477bd491be30aba97c1f5bae56

SHA1
4faf60abd0489c1a8eb67bb509ad3297d8e1694d

SHA256
b95eeb9ba5add7547644fffd0fa04910346faf7105927a13db0d3eb5769bf11d

SHA512
5a9759c3f0230c28d0651a417977044d4c2736067c7a0a43ddd5449deeaa5326998c7bae79c2dd6c2a2ab31147486a9222de375970036d11a9cf38c40a558f71

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
304KB

MD5
c2f5941853dfa895021acf0e07581f7e

SHA1
998ea63ce4a2cc2336a136ebe9d675d8bae857fa

SHA256
6828abebf98186d76dabdce2396ca0c0e76e8b17041c56c05fc8c2785a4993c1

SHA512
ede86218f9f8ed1f758134387f57b45d7a3f19f244fddd51f194c835ee74d8c7e80d90d340d09c21742c52af6c00b5a349dd5ee36b3d00e775effc82ecf9ae01

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
304KB

MD5
9af2e36a9d8d7956a8d336ff8f9253e8

SHA1
787f93ced7918e50fb0447c43aa9314e2ed04819

SHA256
1165c15cca7a5122e89b1b4df447ace235335d1c247ffaa853e4da81c73207dd

SHA512
d1118a3a5f615feb906e6edec2d4c5b1c772264e016ed34749e96090249e9d707702298d87ebd0418b1fcbcc68f84a9273c58e28d2b8982eaa9921deb7f0a862

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
304KB

MD5
094de5c8879f7a9eba044c0c961f1373

SHA1
e5e42daa38387f8fba656481a3d6ac0487ca4fd5

SHA256
87e19d36bff70c7dec0e298add29aeb5bed4552015325063616245526c0342bd

SHA512
974ab0649808c5a337472b166694cbbd1c1704898a04526c084768f68891c669a182c55933db8406e8fd6a36fb834c69b2a304378cec939b284ef3ffbf344b2b

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
304KB

MD5
e678bc2c144978e00faf84308ce7de8e

SHA1
69e7087956e867630857d3f0b38cbf4d2c079f12

SHA256
165dd376bfaa5a19a3df48aa13c506f86a0faa8dca78c40f7add42bd6d5a2c45

SHA512
924aa287837d0ea89708f3e5b434cb9206834c4113c0a19ad2e290ec4ca28689c7ce075851cbe18ad56b694b67036093f846ff0c4bc0803b0d62c7e9d8213e0f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
304KB

MD5
52e4ba648e070e6eb8cfaaee415a06f6

SHA1
14ec71ce01c0a4a36cdda1c242a8f152285e9f99

SHA256
13c463692f959897c80890700351a0b569388d9a7f9fd1793a23120c2c08153e

SHA512
acdca058fabdcf7a0dc03e1aedeb98f87e6a2cc99679089b64cd5994f7732f378c6b26ef656e621b63a77735130c8120a21df7e1a8f61f824ea0f395b8433052

Download Submit
C:\Windows\SysWOW64\Jpcnha32.dll

Filesize
7KB

MD5
5b4c304ccd3835252df9448d0683b156

SHA1
4677a3d19e7dabfb972ac555817037200424ac68

SHA256
dcee78fdcf0ee33f2f41209a161376f8f21d005ade12f130b265e03136cd0278

SHA512
dba7ce4e55420611f31a0ad4571484e918ef8eff38850284d7c16c5e1ad42bfc470190521a5d9abb32764ad2d15ab408569bdf6f5f1ae60e52da35188ae5bd64

Download Submit
memory/224-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1264-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1264-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1692-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1692-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2480-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2480-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads